Add default CA store to use when haproxy_backend_ca is true

If haproxy_backend_ca is set to true, default to the distro's system CA
bundle so the exact CA file does not have to be specified.

Change-Id: I536c32a0b152a2b754787e07574472ecfaebd7e7
James Gibson
2021-12-15 14:06:25 +00:00
parent 33dbb82bbb
commit 92dac326a9
5 changed files with 13 additions and 2 deletions


@@ -271,6 +271,8 @@ An example HTTP service could look like:
# If backend connections should be secured with SSL (default False) # If backend connections should be secured with SSL (default False)
haproxy_backend_ssl: True haproxy_backend_ssl: True
haproxy_backend_ca: /path/to/ca/cert.pem haproxy_backend_ca: /path/to/ca/cert.pem
# Or to use system CA for validation
# haproxy_backend_ca: True
# Or if certificate validation should be disabled # Or if certificate validation should be disabled
# haproxy_backend_ca: False # haproxy_backend_ca: False


@@ -132,7 +132,7 @@ backend {{ item.service.haproxy_service_name }}-back
{% endif %} {% endif %}
{% if item.service.haproxy_backend_ca %} {% if item.service.haproxy_backend_ca %}
{% set _ = entry.append("ca-file") %} {% set _ = entry.append("ca-file") %}
{% set _ = entry.append(item.service.haproxy_backend_ca) %} {% set _ = entry.append(item.service.haproxy_backend_ca is string | ternary(item.service.haproxy_backend_ca, haproxy_system_ca)) %}
{% else %} {% else %}
{% set _ = entry.append("verify none") %} {% set _ = entry.append("verify none") %}
{% endif %} {% endif %}
@@ -173,7 +173,7 @@ backend {{ item.service.haproxy_service_name }}-back
{% endif %} {% endif %}
{% if item.service.haproxy_backend_ca %} {% if item.service.haproxy_backend_ca %}
{% set _ = entry.append("ca-file") %} {% set _ = entry.append("ca-file") %}
{% set _ = entry.append(item.service.haproxy_backend_ca) %} {% set _ = entry.append(item.service.haproxy_backend_ca is string | ternary(item.service.haproxy_backend_ca, haproxy_system_ca)) %}
{% else %} {% else %}
{% set _ = entry.append("verify none") %} {% set _ = entry.append("verify none") %}
{% endif %} {% endif %}
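Review bot: The new ternary on the `ca-file` value line (present in both hunks) widens the trusted set from one pinned CA to every public CA in the distro bundle, and nothing in these hunks pairs that with a subject check — with `ca-file` and `verify required` alone HAProxy does not compare the certificate's name unless the server line also carries `verifyhost` or `sni`. If those are not added by lines outside the hunk, a certificate issued by any public CA for any name satisfies verification under the new default, so the fallback branch should append `verifyhost <backend host>` (or `sni`) when it selects `haproxy_system_ca`, or the docs should say a pinned CA file remains the stricter choice for internal backends. The `is string` test also treats a boolean that arrived as text (e.g. `-e haproxy_backend_ca=true`) as a literal path and renders `ca-file true`; a guard like `item.service.haproxy_backend_ca is string and item.service.haproxy_backend_ca | lower not in ['true', 'false']` would avoid that. As a style point the identical expression is now duplicated in the two server-line branches; one `{% set _backend_ca_file = ... %}` above them would keep the branches from drifting. The enclosing `backend` block starts before the first hunk and continues past the last.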


@@ -24,3 +24,6 @@ haproxy_distro_packages:
haproxy_distro_certbot_packages: haproxy_distro_certbot_packages:
- certbot - certbot
# Set system CA store which can be used to verify backends
haproxy_system_ca: /etc/ssl/certs/ca-certificates.crt
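Review bot: The new `haproxy_system_ca` default on the last line is documented only as a store that "can be used", without saying when the role selects it, what it depends on, or what trusting it implies; suggest `# System CA bundle used when haproxy_backend_ca is True (needs the ca-certificates package); it trusts every public CA, so a pinned CA file is the stricter choice for internal backends.` The key is added next to `haproxy_distro_packages`, which suggests a per-distro vars file loaded as role vars; if so it overrides inventory and group_vars, and a deployer who wants a different bundle path can only change it with `-e` — worth stating, or moving the default where it can be overridden. HAProxy refuses to start if the referenced file is missing, which is the right fail-closed behaviour but should be mentioned alongside the package dependency.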


@@ -16,3 +16,6 @@
haproxy_distro_packages: haproxy_distro_packages:
- haproxy - haproxy
- nc # Used for the Ansible haproxy module - nc # Used for the Ansible haproxy module
# Set system CA store which can be used to verify backends
haproxy_system_ca: /etc/pki/tls/certs/ca-bundle.crt


@@ -24,3 +24,6 @@ haproxy_distro_packages:
haproxy_distro_certbot_packages: haproxy_distro_certbot_packages:
- certbot - certbot
# Set system CA store which can be used to verify backends
haproxy_system_ca: /etc/ssl/certs/ca-certificates.crt